Organizations must wake up to typosquatting, where sensitive email correspondences and data can be unwittingly lost

InfoWorld | Jun 25, 2012

New York-based law firm Gioconda Law Group has filed a lawsuit against self-proclaimed cyber security developer Arthur Kenzie for allegedly using typosquatting tactics to set up a bogus Web domain for intercepting email messages intended for the firm.

Kenzie has similarly set up so-called doppelganger domains to harvest emails intended for companies such as McDonalds, MasterCard, NewsCorp, and McAfee, the law firm alleges.

According to Gioconda, which specializes in IP protection law, Kenzie registered the domain name GiocondoLaw.com, which is strikingly similar to the firm's actual domain, GiocondaLaw.com. Kenzie has allegedly used the doppelganger domain to create fake email accounts with which to intentionally intercept private emails addressed to the firm's lawyers and staff.

The law firm is seeking $1 million for violating numerous federal laws pertaining to cyber squatting, trademark infringement, and unlawful interception of a law firm's private electronic communications.

The email honeypot technique puts a new twist on typosquatting, which is commonly used by scammers to divert clumsy-fingered users to bogus sites after they mistype a URL. Researchers at security think tank Godai Group demonstrated late last year how effective this tactic can be: They set up their own email servers using various doppelganger domains. Unwitting users then sent legitimate email to fake domains. In the span of six months, the group collected more than 120,000 individual emails, which included trade secrets, business invoices, employee PII, network diagrams, usernames, passwords, and so forth.
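The defensive counterpart to what Godai demonstrated is to enumerate the lookalike spellings of your own domain before someone else does, and check which of them already resolve, so they can be registered or put on a watch list. The following is an added example, not code from InfoWorld, Godai Group or any party named in the article; it generates the variant classes visible in the article's own examples (a substituted letter as in GiocondoLaw and LockheedMarton, a transposed pair as in tor-porject, "rn" standing in for "m" as in rnysql and rnonster, and a dropped letter), using a small US QWERTY neighbour map that is my own assumption. The resolver is injectable; the default only tests whether the name resolves at all, since a stdlib-only script cannot query MX records.

```python
"""Enumerate lookalike domains for a domain you own and report any that resolve."""
import socket
from typing import Callable, Iterable, Set

# Assumption: a small US-QWERTY neighbour map, enough for fat-finger substitutions.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy", "u": "yhji",
    "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
VOWELS = "aeiou"
# Visual look-alikes: "rn" reads as "m", "vv" reads as "w".
HOMOGLYPH_PAIRS = [("m", "rn"), ("rn", "m"), ("w", "vv"), ("vv", "w")]


def _label_variants(label: str) -> Set[str]:
    """All single-edit lookalikes of one DNS label (the part before the TLD)."""
    out: Set[str] = set()
    for i, ch in enumerate(label):
        # Substitution: keyboard neighbours, plus any vowel for a vowel
        # (giocondalaw -> giocondolaw, lockheedmartin -> lockheedmarton/-martun).
        subs = set(QWERTY_NEIGHBOURS.get(ch, ""))
        if ch in VOWELS:
            subs.update(VOWELS)
        for s in subs:
            if s != ch:
                out.add(label[:i] + s + label[i + 1:])
        # Omission: one character dropped.
        out.add(label[:i] + label[i + 1:])
    # Transposition of two adjacent characters (tor-project -> tor-porject).
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Homoglyph swap at every occurrence (mysql -> rnysql, monster -> rnonster).
    for old, new in HOMOGLYPH_PAIRS:
        pos = label.find(old)
        while pos != -1:
            out.add(label[:pos] + new + label[pos + len(old):])
            pos = label.find(old, pos + 1)
    out.discard(label)
    return {v for v in out if v and not v.startswith("-") and not v.endswith("-")}


def lookalikes(domain: str) -> Set[str]:
    """Lookalike domains for 'label.tld'; the original domain is never included."""
    if "." not in domain:
        raise ValueError("expected a domain such as example.com")
    label, tld = domain.lower().rsplit(".", 1)
    return {f"{v}.{tld}" for v in _label_variants(label)}


def resolves(domain: str) -> bool:
    """Default check: does the name resolve at all? An MX lookup (e.g. with a
    DNS library) is the better signal for mail interception, but is not stdlib."""
    try:
        socket.gethostbyname(domain)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def find_live_lookalikes(domain: str,
                         check: Callable[[str], bool] = resolves) -> list:
    """Sorted list of lookalikes for which the check (default: resolves) is true."""
    return sorted(d for d in lookalikes(domain) if check(d))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "giocondalaw.com"
    candidates = lookalikes(target)
    print(f"{len(candidates)} lookalikes generated for {target}")
    for d in find_live_lookalikes(target):
        print("already resolves:", d)
```

Run it against your own domain to get a registration or monitoring list; the `check` parameter lets you plug in an MX lookup, or a WHOIS query, in place of the A-record default.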

This isn't the first time Kenzie has found himself in legal peril for similar misdeeds: He purchased the domain names LockheedMarton.com and LockheedMartun.com in July 2011 to intercept emails intended for defense contractor Lockheed Martin. Kenzie claimed he had been performing research about Lockheed's email vulnerabilities. The ruling panel, however, determined that Kenzie's actions were motivated by a bad-faith attempt to extort money, and ordered him to hand over the domains to Lockheed Martin. According to GoDaddy.com, Kenzie is also the owner of such domains as rnysql.com, rnonster.com, and tor-porject.org.

"It is obvious that it was [Kenzie] that created the alleged vulnerability of [Lockheed Martin's] trademark, and his purpose was to offer services to [the company], looking for a financial gain," according to the ruling.

Kenzie took issue with the panel's ruling: "Clearly I did create an exploit for this vulnerability, but that in itself does not cause me to be some malevolent black hat. The only way to gather evidence was to create the exploit, and what I do with the eventual evidence (if there is any) is what determines the legitimacy or good/bad faith of my efforts," he wrote.

He didn't appeal the decision: "I think the cost and effort of doing this is out of scope right now for what I am trying to learn and to accomplish."

Earlier this year, Kenzie purportedly contacted HD Moore (chief security officer at Rapid7 and chief architect of Metasploit) regarding a similar "email vulnerability" for Moore's personal domain, digitaloffense.net. In the ensuing email exchange, Kenzie informed Moore that he had intercepted six email messages and offered to sell the doppelganger domain to Moore for $295, along with a "negotiated or mediated non-improvident fee in consideration of my expertise in bringing this vulnerability to [his] attention and in ensuring that no malevolent entity is able to exploit it for their own purposes."

When Moore didn't respond, Kenzie allegedly informed Moore that he planned on "posting something on my blog about your vulnerability," saying that his goal was to "increase awareness."

Regardless of how this particular case plays out, it should serve as a wake-up call to organizations about the threat of typosquatting. Having users end up on malicious websites when they're attempting to access a legitimate company site is bad enough. Unwittingly losing sensitive email correspondences and data can be even costlier.